Type error with sops_decrypt_file and yamldecode

[antoinerrr]

Hi Terraform v1.1.8 Terragrunt v0.36.6

I have a strange error where yamldecode is not using the good type for a data decrypted with sops_decrypt_file (data is a str, but try to decode int):

ERRO[0000]    8:     yamldecode(sops_decrypt_file(find_in_parent_folders("variables/secrets.enc.yml")))
ERRO[0000]
ERRO[0000] Call to function "yamldecode" failed: on line 2, column 27: cannot parse
"0xeeeeeeeee" as
tag:yaml.org,2002:int.

0xeeeeeeeee is in my case an hexa string (I think the 0x at the beginning is causing the issue)

File before sops encode:

secrets:
  SOME SECRET: "0xeeeeeee" 

File after sops encode:

secrets:
    SECRET: ENC[AES256_GCM,data:MY_ENCODED_DATA=,tag:71+xxxxx==,type:str]
sops:
   *sops config stuff*

As you can see the data is tagged as a string.

So I don't know if the issue is with the terra grunt function sops_decrypt_file who maybe transform my data to an int or if the issue is with the terraform function yamldecode who just do not understand string starting with 0x

Thank you

[denis256]

Hi, does this issue occur only when terragrunt tries to decrypt files? the file will be decrypted successfully with the sops command?

[antoinerrr]

Hi, Yes the sops -d command work as expected and return a proper yaml.

[denis256]

Hi, I tested on v0.36.6 and on v0.37.1 and didn't get mentioned error, yaml files got decrypted and passed as variables

Full example in: https://github.com/denis256/terragrunt-tests/tree/master/issue-2103

[antoinerrr]

Hi @denis256 Sorry if my exemple wasn't clear, "0xeee" was just a place holder for the real value. You can test it again but with any blockchain contract/address you want to have the error, for exemple you can try with the value: "0x629A673A8242c2AC4B7B8C5D8735fbeac21A6205"

Thank you

[denis256]

Hi, this helped to get the same error :+1:

after more tests I found that the issue is with value returned from sops decryption function which didn't return value in quotes, this can be also observed using CLI sops:

$ cat file.yaml 
secrets:
  SOME SECRET: "0x629A673A8242c2AC4B7B8C5D8735fbeac21A6205"

$ sops --encrypt ... file.yaml > file.enc.yaml
$ sops -d file.enc.yaml

secrets:
    SOME SECRET: 0x629A673A8242c2AC4B7B8C5D8735fbeac21A6205

(quotes got removed...)

This is a known issue in sops and go-yaml:

https://github.com/mozilla/sops/issues/1003 https://github.com/go-yaml/yaml/issues/435

To overcome this issue in terragrunt, I was thinking about:

• remove "0x" from the encrypted file and concatenate it later, after decryption
• save the encrypted value in a plain text file and decode it in a separated variable

[antoinerrr]

Thanks for the help, option 1 is what I ended up doing, not super clean but do the job.